Ransomware
Malware that encrypts files or locks systems and demands payment for restoration, often combined with data exfiltration as a double extortion tactic.
Definition
Ransomware is a class of malicious software that denies access to a victim's data or systems — typically through encryption — and demands a ransom payment in exchange for the decryption key. Modern ransomware operations frequently combine encryption with data theft, threatening to publish stolen data on leak sites if the ransom is not paid. This tactic is known as double extortion. Some advanced groups add a third layer by launching DDoS attacks or contacting victims' customers directly, a practice called triple extortion.
Why It Matters
Ransomware is one of the most operationally and financially damaging attack categories facing organizations today. A successful attack can halt business operations, destroy backups, trigger regulatory breach notifications, and cause multi-million-dollar losses in downtime and recovery even when no ransom is paid. Healthcare, critical infrastructure, and manufacturing are frequent targets because of their low tolerance for downtime. Ransomware groups operate as organized criminal enterprises with dedicated infrastructure, negotiation teams, and affiliate programs (Ransomware-as-a-Service, or RaaS), in which the core group supplies the payload, leak site, and payment handling while affiliates carry out the intrusions for a share of the ransom.
How It Works
Ransomware typically follows a structured kill chain: initial access (phishing, exposed RDP, an exploited vulnerability), privilege escalation, lateral movement, discovery and sabotage of backups (for example, deleting volume shadow copies so that local recovery is impossible), data exfiltration, and finally payload deployment. Encryption uses a hybrid scheme: a symmetric key (e.g., AES-256) encrypts each file quickly, and an attacker-controlled asymmetric public key (e.g., RSA-2048) encrypts that symmetric key, which is stored alongside the ciphertext while the plaintext copy is discarded. Because the plaintext symmetric key never persists on the victim's host and the private key never leaves the attacker's infrastructure, decryption is only possible with the attacker's private key. Free decryptors appear only when a family's implementation is flawed, for instance predictable key generation, a data key left recoverable in memory, or a leaked master key. The ransom note instructs victims to contact the group via Tor-hosted portals.
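The hybrid scheme described above, shown as an added example in Go using only the standard library. This is illustrative code written for this page, not code from any ransomware family: it shows the mechanic a defender reasons about, namely that once the per-file AES-256 key is wrapped with the attacker's RSA-2048 public key and the plaintext key is discarded, the host holds nothing that can reverse the encryption. The key pair, the sample document, and the function and type names (hybridEncrypt, hybridDecrypt, EncryptedFile) are constructed for the illustration; nothing is written to disk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is what a hybrid scheme leaves behind for each file: the
// ciphertext plus the per-file data key wrapped under the attacker's RSA
// public key. Nothing in it is usable without the matching private key.
type EncryptedFile struct {
	WrappedKey []byte // AES-256 data key, encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // file contents encrypted with AES-256-GCM
}

// hybridEncrypt draws a fresh random AES-256 key, encrypts plaintext with it,
// wraps the key with pub, then zeroes the plaintext key. After it returns,
// the only remaining copy of the data key is the RSA-wrapped one.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // discard the plaintext key: the host keeps no copy
		dataKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// hybridDecrypt is what the victim is sold as a "decryptor": it needs priv to
// unwrap the data key before AES-GCM can be reversed. A wrong key fails at the
// OAEP step and never reaches the ciphertext.
func hybridDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing private key")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the attacker's key pair stays on their side; only the
	// public key would ever be embedded in a payload.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 payroll export (constructed sample data)")

	ef, err := hybridEncrypt(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %d bytes, wrapped key: %d bytes\n", len(ef.Ciphertext), len(ef.WrappedKey))

	// Anyone without the private key, the victim included, stops at the wrapped key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := hybridDecrypt(other, ef); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}

	// Only the attacker's private key recovers the file.
	pt, err := hybridDecrypt(attacker, ef)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with attacker key:", bytes.Equal(pt, doc))
}
```

Real families vary the primitives (stream ciphers such as ChaCha20 in place of AES, elliptic-curve key wrapping in place of RSA) and often encrypt only the first part of large files for speed, but the dependency on a private key held off-host is the same. The practical consequence for responders is that memory and disk forensics can recover the data key only if the implementation failed to discard it or generated it predictably; otherwise recovery depends on offline backups the attacker did not reach.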